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1.0 Introduction 

Under the guidance of processes provided by Crew Transportation Plan (CCT-PLN-1 100), this 
document, with its sister documents. International Space Station (ISS) Crew Transportation and 
Services Requirements Document (CCT-REQ-1130), Crew Transportation Technical Standards and 
Design Evaluation Criteria (CCT-STD-1140), Crew Transportation Operations Standards (CCT STD- 
1150), and ISS to Commercial Orbital Transportation Services Interface Requirements Document (SSP 
50808), provides the basis for a National Aeronautics and Space Administration (NASA) certification 
for services to the ISS for the Commercial Provider. When NASA Crew Transportation System (CTS) 
certification is achieved for ISS transportation, the Commercial Provider will be eligible to provide 
services to and from the ISS during the services phase. 

1.1 Purpose 

The purpose of this document is to provide Commercial Providers a summary of the technical 
management processes that support the design, development, test, evaluation, and certification effort and 
NASA’s expectations of the processes and products that NASA considers crucial to a successful 
development effort. 

1.2 Scope 

This document and its supporting documents are applicable to the design, development, test, evaluation, 
certification, production and operation of the end-to-end CTS. The end-to-end CTS includes all assets 
and processes required to transport NASA crew to and from the ISS, including: 

• An integrated space vehicle. 

• Supporting systems for production, ground, flight, and recovery operations. 

• Capabilities and processes for pre-flight planning and trajectory and abort analysis. 

• Crew health and medical care. 

• Capabilities and processes for manufacturing, ground processing, mission control, launch control, 
and post-landing recovery. 

• Safety and mission assurance. 

• Training processes for operations personnel and crew. 

1.3 Precedence 

In the event of a conflict between the text of this document and references cited herein, the text of this 
document takes precedence. Nothing in this document supersedes applicable laws and regulations, 
unless a specific exemption has been obtained. 

1.4 Delegation of Authority 

This document was jointly prepared by the CCP and the ISS Program and will be managed by the 
CCP. CCT-PLN-1 120 will be maintained in accordance with standards for the CCP 
documentation. The CCP is responsible for assuring the definition, control, implementation, and 
verification of the CCP requirements identified in this document. 

1.5 Verb Application 

Throughout this document and its supporting documents, statements containing shall are used for 
binding requirements even in the absence of specific verifications. It is understood that after the plans 
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and processes are approved, they will be verified through surveillance; will is used as a statement of fact, 
declaration of purpose, or expected occurrence; and should denotes a statement of best practice. 
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2.0 Documents 


2.1 Applicable Documents 


Document Number 

Title: Description 

AS9100 

Quality Management Systems: Aviation, Space, and Defense Organizations 

NASA-STD-8719.13 

NASA Software Safety Standard, Chapter 7 

NASA-STD-8739.8 

NASA Software Assurance Standard, Sections 6, 7.1, 7.2.4, 7. 3,7.4 

SSP 30234 

Failure Modes and Effects Analysis and Critical Items List Requirements for 
ISS 

SSP 30309 

ISS Safety Analysis and Risk Assessment Requirements 

SSP 30599 

ISS Safety Review Process 

SSP 41170 

ISS Configuration Management Requirements 


2.2 Reference Documents 


Document Number 

Title: Description 

CCT-PLN-1010 

Mishap Preparedness and Contingency Plan (MPCP)for CCP 

CCT-REF-1121 

Probabilistic Safety Analysis Methodology Guide 

NPR 8715.3 

NASA General Safety Program Requirements 

SSP 50108 

ISS CoFR Process Document 
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3.0 Program Management and System Engineering Elements 

The Commercial Provider shall develop and implement program plans with sufficient detail to convey 
the approach for accomplishing program objectives. These plans are intended to span the CTS life-cycle. 

3.1 Project Management 

The Commercial Provider is responsible for the project management of the CTS, which includes 
developing, utilizing, and maintaining the tools to enable management of the CTS. 

3.1.1 Project Management and System Engineering Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• A Project Management Plan (PMP) for the purpose of providing a roadmap for executing, 
monitoring, and controlling the project. Core components may be described with subsidiary plans 
or in the PMP. Subsequent sections cover topical expectations. 

• Other plans not addressed by the PMP that capture the approach to the management of 
requirements, peer reviews/checks, handling of dissenting opinions, data (operational and non- 
operational), risk, cost, scope, schedule, change control, process control, quality assurance, 
performance reporting, and as applicable, maintenance, refurbishment, and disposal of the 
spacecraft and launch vehicle. 

3.1.2 Project Management and System Engineering NASA Focus Areas 

NASA will assess the PMP and supporting documentation for adequacy of the management approach 
and processes used. This includes the evaluation of the Commercial Provider’s compliance with the 
contents noted above. 

3.2 Configuration Management 

The Commercial Provider will own and maintain configuration control over its requirements, 
specifications, flight products, numerical models, and drawings that govern the development and 
baseline configuration of the CTS. The Commercial Provider is responsible for integrated change 
control and tracking, and managing the actual changes when and as they occur. To this end, the 
Commercial Provider shall define the tools and techniques to manage and document the integrated, 
approved CTS configuration including systems, equipment, and operations products; control, record, 
and report changes; and audit the systems and items to verify conformance. 

3.2.1 Configuration Management Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• A Configuration Management (CM) Plan, processes, procedures and data to include project- 
approved and controlled information, change packages, non-conformance reporting and 
disposition, audit results, requirement and verification traceability, associated performance data, 
and an overview of the tools utilized for configuration control. 

3.2.2 Configuration Management NASA Focus Areas 

NASA will assess the CM Plan for adequacy of the technical and management approach and processes 
used. This includes the evaluation of the Commercial Provider’s compliance with the contents noted 
above as well as supporting documentation for the following: 
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• Adequacy of tracking. 

• Incorporation of updates or modifications to include re-validation prior to use, as appropriate. 

• Coordination across disciplines and functional areas and notification to stakeholders. 

• Audit strategy and results. 

• Corrective action. 

• Lessons learned. 

3.3 Risk Management 

The Commercial Provider is responsible for the development and implementation of a risk management 
process. 

3.3.1 Risk Management Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• A Risk Management Plan that documents the full life-cycle of a risk process together with 
approval, mitigating, acceptance, reporting, and integration mechanisms throughout the life-cycle 
of the CTS. The considerations for operations products and the management of operational risks 
are contained in the operational standards outlined in CCT-STD-1 150. 

3.3.2 Risk Management NASA Focus Areas 

NASA will assess the Risk Management Plan for adequacy of the technical and management approach 
and processes used. This includes the evaluation of the Commercial Provider’s compliance with the 
contents noted above as well as supporting documentation for the following: 

• Adequacy of risk identification efforts. 

• Risk characterization criteria, mitigation, and elevation. 

• Risk control (ensure results can affect decisions throughout the CTS life-cycle). 

• Risk response planning to include contingency and residual risk planning. 

3.4 Requirements Management 

The Commercial Provider is responsible for developing, implementing, and maintaining a closed-loop 
requirements management process to ensure hardware, software, support equipment, ground systems 
processing, and configuration requirements are accomplished for all configuration managed systems and 
equipment. 

3.4.1 Requirements Management Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• Requirements Management Plan, processes, and supporting data. 

3.4.2 Requirements Management NASA Focus Areas 

NASA will assess the Requirements Management Plan for adequacy of the technical and management 
approach and processes used. This includes the evaluation of the Commercial Provider’s compliance 
with the contents noted above as well as supporting documentation for the following: 

• Requirements allocation and traceability (includes parent/child relationships and “meet the intent” 
requirements). 
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• Verification and Validation (V&V) planning and results with supporting data (any models and/or 
analysis data, test data, and results). 

• Variance and constraint handling. 

3.4.3 NASA Requirements Management 

Where the evaluation of NASA requirements results in non-compliance, the Commercial Provider may 
request relief in the form of a variance. A variance may take one of several forms, as defined below: 

• Variance : A formal request for relief from a requirement. Variances should be submitted as 
early in the life-cycle or workflow process as practical. A variance can be an exception, 
deviation or waiver. 

• Exception : A variance that authorizes permanent relief from a specific requirement and may be 
requested at any time during the life-cycle of the program. 

• Deviation : A variance that authorizes temporary relief in advance from a specific requirement 
and is requested during the formulation/planning/design stages of a program operation to address 
expected situations. 

• Waiver : A variance that authorizes temporary relief from a specific requirement after the 
baseline system has been approved. Waivers are requested during the implementation of a 
program or operation to address situations that were unforeseen during design or advanced 
planning. 

Requests for variance to CCP requirements shall include, at a minimum, the following: 

a. Detailed rationale for the request. 

b. Risk assessment with and without approval. 

c. Risk mitigations and controls in place, if any. 

d. Effectivity. 

Variances will be reviewed and approved through the CCP board structure. Requests for variance to 
SSP 50808 shall be processed in accordance with SSP 41 170. 

3.5 Interface Management 

The Commercial Provider is responsible for establishing procedures and practices to ensure proper 
interface definition, documentation, and compliance throughout the CTS life-cycle. 

3.5.1 Interface Management Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• Interface requirements for the CTS elements, external interfaces including operational (e.g., 
spacecraft to ISS), and interface definition documentation. 

3.5.2 Interface Management NASA Focus Areas 

NASA will assess Interface Requirements and Control Documents for technical completeness and 
accuracy. This includes the evaluation of the Commercial Provider’s compliance with the contents 
noted above. 
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3.6 Quality Assurance 

The Commercial Provider is responsible for developing and implementing a quality management system 

that assures quality requirements are flowed down from design into the manufacturing and operational 

processes. 

3.6.1 Quality Assurance Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• A Quality Management Plan (compliant with AS9100). 

• Associated reports and products, including requirement traceability that describes the quality 
requirements; the requirement driver; and how, where, when, and by whom they are implemented 
and verified. 

3.6.2 Quality Assurance NASA Focus Areas 

NASA will assess the following: 

• Adequacy, completeness, and effectiveness of the Quality Management Plan. 

• Requirement traceability for completeness and accuracy. 

• Nonconformance control reports for completeness, adequacy, and effectiveness of the engineering 
disposition. 

• Corrective and preventative action reports for effectiveness of the root cause investigation and 
corrective actions. 

• Government Industry Data Exchange Program (GIDEP) records for completeness, disposition, and 
closure. 

• Calibration maintenance records for measuring and test equipment for completeness and 
adequacy. 

3.7 Technical Reviews 

The Commercial Provider shall hold Milestone Reviews to include, at a minimum, those shown in Table 

3-1. The purpose of these reviews is to formally evaluate progress towards CTS certification. 

Descriptions of typical Milestone Reviews are shown in Appendix G, Table G-1. 

Table 3-1: Milestone Reviews 


Review 

Description 

Certification Baseline 
Review (CBR) 

The Commercial Partner shall co-chair with NASA a Certification Baseline 
Review (CBR) after award of contract(s) for the second phase of NASA’s 
CTS Certification activities. The purpose of the CBR is to establish the CTS 
design baseline, the Commercial Partner’s certification plan, life-cycle costs, 
and schedules for CTS certification. 

Design Certification 
Review (DCR) 

Prior to the first low Earth orbit (EEO) crewed test flight, the flight test 
readiness process will include a Design Certification Review of applicable 
elements from completed CTS Certification Milestones (for an interim CTS 
certification) and a Elight Test Readiness Review. The DCR formally 
documents the configuration baseline (hardware, software, and processes used 
in design, production, and operations) and the conditions under which the 
CTS is certified (performance, fabrication and operational environments. 
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constraints). The DCR also presents the current state of the verification and 
validation effort, including the overall status of all verification closures and 
any changes to the V&V plan since CBR. 

Flight Test Readiness 
Review (FTRR) 

For crewed flight tests, the FTRR examines tests, demonstrations, analyses, 
and audits that determine the system's readiness for a safe and successful 
flight/launch and for subsequent flight test operations. It also ensures that all 
flight and ground hardware, software, personnel, and procedures are 
operationally ready. 

Operations Readiness 
Review (ORR) 

Upon successful completion of the flight test phase of crewed flights, an 
Operational Readiness Review will be conducted. The ORR occurs once 
during the program life-cycle (or at the introduction of new or significantly 
modified systems/facilities). The ORR evaluates all project and support 
(flight and ground) hardware, software, personnel, plans, processes, and 
procedures to ensure flight and associated ground systems are in compliance 
with program requirements and constraints during the sustaining phase. 

Certification Review 

Upon successful completion of all flight tests, any delta DCRs, and the ORR, 
the Certification Review determines that the CTS meets the Design Reference 
Mission (DRM) for which it was developed. 

Flight Readiness 
Review (FRR) 

The FRR examines tests, demonstrations, analyses, and audits that determine 
the system's readiness for a safe and successful flight/launch and for 
subsequent flight operations. It also ensures that all flight and ground 
hardware, software, personnel, and procedures are operationally ready. 


3.7.1 Technical Review Data Products 

In support of CTS certification, at a minimum, the Commercial Provider shall address at milestone 
reviews the types of data shown in Appendix F and H. 

3.7.2 Technical Review NASA Focus Areas 

NASA will review supporting documentation for successful entrance and exit criteria, such as: 

• Provider risks and mitigation strategies identification. 

• Compliance with requirements. 

• Compliance to Provider plans and processes. 

• Description of the systems and architecture (hardware, software, legacy, interfaces, and facilities). 

• Constraints affecting system development. 

• Credible con-ops and cost, schedule and investment review, and mission feasibility. 

• Interfaces to other NASA Programs and Commercial Providers, as well as, external interfaces. 

• Test and evaluation strategy and life-cycle support (logistics, manufacturing operations). 

• Quality assurance, safety, reliability, and maintainability metrics meet acceptable risk level and 
adequate margins. 

• V&V Plan status. 

• Approved/configuration-controlled documentation for each subsystem (specifications, drawings), 
interface control documents and requirements flow down (verifiable), certification plans, and 
certification data packages. 

• Test plans and procedures for fabrication, assembly and integration, test, and launch operations. 
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• Operational limits and constraints. 

• Command and telemetry list. 

• Production tools, materials, operations, processes, and methods are consistent with quality 
requirements and occupational safety, environmental, and energy conservation requirements. 

• Production and support staff are qualified and trained. 

• All integration plans and procedures are completed. 

• All elements and/or components are available for integration and have been verified against all 
mechanical, electrical, functional, and safety interface requirements. 

• Closure of actions and plans. 

• Technical planning that is sufficient to proceed to next development phase. 

3.8 Mishap Reporting and Investigation Process 

The Commercial Provider shall provide, develop, and manage a Mishap Reporting and Investigation 
Plan and process that is compatible with 51 USC Section 70101 et seq (accommodates an Accident 
Investigation Board appointed by the President). 

3.8.1 Mishap Reporting and Investigation Process Data 

The mishap reporting and investigation process shall include, at a minimum: 

• A data repository to document events, including investigation findings and corrective actions. 

• Methods for trending mishap and close-call data over time to determine if there is a common root 
cause, an unidentified process escape, or an increase/decrease in overall events. 

• Methods for communicating mishaps/close-call events, investigation findings, and 
recommendations to the Commercial Provider. This includes timeframes for initial reporting, 
investigation statuses, and investigation closures. 

• Data and reports associated with non-CCP missions for similar systems. 

3.8.2 Mishap Reporting and Investigation Process NASA Focus Areas 

NASA will assess the mishap plans and processes for completeness. 
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4.0 Design and Development 

The Commercial Provider will own, manage, and control the design and safety analysis approach and 
processes for producing a design that meets requirements, as well as identifying, understanding, 
eliminating, and controlling hazards and risks to safety. NASA will review and approve the safety 
analysis to assess the design and to evaluate the risk to crew health and safety. 

4.1 Alternate Design and Manufacturing Standards 

The Commercial Provider shall propose alternatives to satisfy “meet the intent of’ requirements in CCT- 
REQ-1 130 where the Commercial Provider opts not to utilize the NASA standard. Alternate Standards 
are defined as any change to the NASA prescribed standard. CCT-STD-1 140 will be utilized by the CCP 
as the evaluation criteria for acceptable alternative standards. NASA will work with the Commercial 
Provider to agree on content. 

Alternate standards will be reviewed and approved at the CCP Program Control Board (PCB). Once the 
alternate standards have been approved, they will be used in the Commercial Provider’s CTS 
certification evaluation. The NASA standard will remain as the baseline requirement until an alternate 
standard is approved by NASA. Changes will be approved through the CCP board structure. 

4.2 System Safety and Reliability 

The Commercial Provider shall incorporate safety and reliability into the design process to identify and 
eliminate catastrophic hazards, and to control critical hazards for all mission phases. If elimination is 
not practical, the Commercial Provider shall put in place controls that reduce the risk to an acceptable 
level that ensures crew safety. These controls shall be verified. 

The safety and reliability processes provide an integrated, systematic, and comprehensive approach, 
which can be used to determine the need for design changes and safety measures, such as failure 
tolerance, based on an understanding of the risk to the crew due to individual hazards, as well as the 
system as a whole. These methods are used to balance risks and trades by identifying hazards and 
developing hazard controls based on assessments of crew risk and rankings of risk scenarios. In this 
way, the level of failure tolerance and other safety measures can be selected commensurate with the risk 
posed to the crew. This includes the evaluation of hardware and software capabilities, limitations, and 
interdependence, as well as environmental and human factors relevant to safety. 

The safety and reliability processes shall: 

• Emphasize the use of industry standard safety and reliability analyses (e.g., hazard, failure modes 
and effects, criticality, etc.) throughout the life-cycle (i.e., design, manufacture, and operation) of 
the Commercial Provider’s CTS, as well as during any changes to the approved design and/or 
operation. 

• Provide detailed plans for the communication and acceptance of risk to stakeholders and/or the 
appropriate control boards to ensure residual risk is appropriately managed. 

• Include methodologies for performing qualitative assessments of the probability of occurrence and 
the severity of hazards, including detailed definitions for likelihood and severity categories that 
will be used by the Commercial Provider to ensure a uniform method of assessing hazards. 

• Provide for closed-loop tracking and verification of hazard controls to include operations controls 
(e.g.. Launch Commit Criteria (LCC), flight rules, procedures, or other means). 
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• Include a plan for communication and approval of safety and reliability analyses. 

The safety analysis shall include an assessment of crew survival strategies for all mission phases and the 
system capabilities required to execute each strategy. The scenarios should include system failures and 
emergencies (such as fire, collision, toxic atmosphere, decreasing atmospheric pressure, and medical 
emergencies) with specific capabilities or proposed capabilities (such as abort, safe haven, rescue, 
emergency egress, emergency systems, and emergency medical equipment or access to emergency 
medical care) identified to protect the crew. The results will be used to verify and validate the capabilities 
provided by the design of the system and make crew survival an integrated element of the design process. 

4.2.1 System Safety and Reliability Data Products 

The Commercial Provider shall provide a Safety and Reliability Plan, which describes how safety and 
reliability analytical methodologies are integrated into the design process and used to identify and 
eliminate or control catastrophic or critical hazards and balance risks and trades. This shall include, at a 
minimum, the processes for hazards analysis, failure modes and effects analysis, and Probabilistic Safety 
Analysis (PSA). To the extent that it applies, the Commercial Provider shall leverage off historical 
performance data to guide the implementation of the approaches, and shall describe the process for 
utilization of historical information. 

NASA recognizes software Independent Verification and Validation (IV&V) as a valuable risk 
reduction technique. For all flight and ground software for which NASA requires insight, the plan shall 
address the process of software IV&V in accordance with CCT-REQ-I130, software engineering 
requirements. The IV&V Agent shall independently select the segments of the software, hardware and 
system to analyze and test, choose the IV&V techniques, define the schedule of IV&V activities, and 
select the specific technical issues and problems to act on and will document this. The IV&V Agent 
shall provide its findings in a timely fashion to both the software development organization and to the 
Commercial Provider’s management. The IV&V effort is intended to identify gaps and deficiencies in 
the software developer's processes to include areas such as requirements, software designs, development 
and testing which might be corrected or be subsequently documented as a formal Program risk. Closed- 
Loop tracking of the IV&V Agent’s findings shall be maintained and tracked to closure to include the 
Commercial Provider’s disposition of these comments. The findings of the IV&V Agent, along with the 
corresponding Commercial Partner’s disposition shall be shared with NASA at pre-determined intervals. 

For software and safety items where ISS is identified as being an affected party and/or stakeholder, the 
plan shall address: 

• The process for complying with SSP 30234; SSP 30309; NASA-STD-8739.8 Sections 6, 7.1, 
7.2.4, 7.3 and 7.4; and NASA-STD-8719.13 Chapter 7. 

• The process of software independent verification and validation. 

The Commercial Provider shall make available the results of the associated analyses, such as hazard 
analysis, failure modes and effects analysis reports, which support design decisions. This 
documentation shall provide sufficient detail to clearly identify potential hazards, causes, likelihood and 
consequence, the design changes made, and the controls put in place to mitigate the hazards, along with 
rationale supporting these decisions. 
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Hazard reports shall mature during the design development process as additional details are generated 
consistent with the CTS design maturation and established milestones. By the end of the development 
process, the hazard reports shall include, at a minimum, the following: 

• Summary of hazard analysis results. 

• Hazard description and effect, including upstream and downstream effects. 

• A risk assessment for each hazard cause. 

• A risk matrix that captures a snapshot of the total risk of the hazard. 

• Failure modes that can lead to a hazard (cross-referenced to failure modes and effects analysis, if 
available). 

• Failure modes and how the failure can affect interfacing subsystem operations. 

• The system component or mission phase that the analysis is concerned with. 

• The configuration or phase of the mission that the system is in when the hazard is encountered 
(e.g., maintenance, during flight, ground processing, etc.). 

• Recommended design or actions necessary to eliminate or control the hazard. 

• Description of the design and operational controls. 

• Verification for the hazard controls (e.g., design features, inspections or tests, procedures in 
operations and maintenance manuals, LCC, flight rules, or other means). 

Each hazard report shall stand alone. Data required to understand the hazard, the hazard controls, and 
the safety/engineering verification methods shall be attached to the report. Examples of such data 
include logic diagrams; description of the applicable flight/support system and its operation; a listing of 
the sequence of events; a list of critical procedures/processes that require special verification; lists of 
mechanisms; lists of connections made or broken; lists of penetrations to space and associated seals; and 
summaries of proposed tests or test results. 

Hazard report format shall contain, as a minimum, the above bulleted list, as well as, the content 
specified in accordance with SSP 30599, Appendix D. 

4.2.2 System Safety and Reliability NASA Focus Areas 

NASA will review and approve the safety and reliability products through a phased safety review 
process, assess the Commercial Provider’s determination of risk likelihood and consequence, and 
evaluate whether the design decisions and hazard controls put in place by the Commercial Provider are 
sufficient to ensure crew safety. In addition, for operations controls, NASA will verify the Commercial 
Provider meets the intent of CCT-STD-1150, Section 4. 

4.3 Probabilistic Safety Analysis 

The Commercial Provider shall conduct a probabilistic safety analysis (PSA). The PSA is a structured 
probabilistic treatment of scenarios, likelihood, and consequences. It consists of the application of 
probabilistic methods and related processes to evaluate safety. The CCP utilizes the PSA to evaluate the 
risks of Loss of Crew (LOC) and Loss of Mission (LOM). The PSA is applied throughout design 
development, as well as during the operational phase, in order to verify through analysis that a 
Commercial Provider’s CTS meets established LOC and LOM requirements. During the design phase, 
it is expected that the PSA will be utilized to assist design decisions to minimize risk. 

An overview of the PSA process guidelines and NASA’s expectations for the performance of a PSA are 
provided in Probabilistic Safety Analysis Methodology Guide (CCT-REL-1 121). 
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4.3.1 Probabilistic Safety Analysis Data Products 

The results of the PSA, with supporting data, shall include, at a minimum, the following: 

• Estimates of the LOC/LOM probability, including associated Bayesian uncertainties for the entire 
mission, as well as for any system, function, or mission phase for which the Agency or Program 
has established safety goals, thresholds, or requirements, or for which the Commercial Provider 
has established an allocation. 

• A risk profile (distribution of the total LOC or LOM probability) consisting of LOC or LOM 
estimates for individual risk contributors that jointly equal the mission-level LOC or LOM 
probability estimate. 

4.3.2 Probabilistic Safety Analysis NASA Focus Areas 

Assessment of the PSA process will be measured upon the thoroughness of individual technical 
products, together with an integrated analysis, where applicable. Emphasis will be placed on the 
incorporation of a systematic and comprehensive PSA approach applicable to the criteria that includes 
the definition of objectives, scenario development, quantification and uncertainty analysis, interpretation 
of results, and documentation. The purpose of the technical evaluation is to confirm that the PSA model 
properly identifies the LOC/LOM estimates for the Commercial Provider’s CTS. 

4.4 Software Safety and Assurance 

In addition to the software qualification/acceptance activity, the Commercial Provider shall be 
responsible for the management of software safety throughout the CTS life-cycle. To this end, the 
Commercial Provider shall define a Software Safety Plan to document safety-critical software 
determination processes, management, software development and analysis methods (including support 
of hazard analyses and production of hazard reports), implementation and test, and operational use. 

4.4.1 Software Safety Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• Software Safety Plan, processes, and data. 

• Software safety-criticality evaluation results. 

• Analysis results that identified hazards associated with a specific requirement, design concept, or 
operation have been evaluated for software’s contribution to the hazard cause and verification that 
controls or mitigations have been incorporated. 

• Commercial Provider software acquisition documentation. 

4.4.2 Software Safety NASA Focus Areas 

NASA’s review of software safety will focus on the following: 

• Review of the Software Safety Plan for adequacy and completeness. 

• Validation of models or simulations used to make critical decisions that impact human safety. 

• Methods and procedures used for verification, validation, and uncertainty assessments. 

• Review of analysis results that identify software as a contributor to a hazard cause and the controls 
or mitigations that have been incorporated. 

4.5 Integrated Safety Review Process 

Safety is the responsibility of the Commercial Provider for systems and operations developed as part of 
the CTS. The compliance with safety requirements is formally executed as a subset of CTS certification. 
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This will be done in eonjunetion with the development review proeesses established in Section 3.7 of 
this document. The review of certification for safety requires that a unique perspective be applied to the 
development of the systems very early in the development process. NASA accomplishes this through a 
phased review and approval process anchored to major milestones and through insight into the decisions 
affecting safety and engagement of the engineering community in decisions affecting risk. 

The foundation for safety certification is a comprehensive integrated risk analysis utilizing tools, such as 
hazard analysis, failure mode effects analysis, and PSA. These tools work together to influence the 
decisions surrounding risk. NASA must understand what methodologies are applied within a 
Commercial Provider’s development and operational programs to ensure the foundation is consistent 
with expectations for identification and resolution of safety risk. 

The Commercial Provider’s integrated safety analysis shall be an integral part of the CTS certification. 
The hazard analysis is a critical piece of the safety analysis. NASA gains a significant amount of insight 
through the incremental review of the Commercial Provider’s hazard analysis and shall have the 
Commercial Provider conduct, submit and present its hazard analysis and reports to NASA for review 
and approval. NASA will utilize a phased safety review process to assess the design and operations of 
the CTS through incremental reviews anchored to major CCP milestones. This process evaluates the 
associated hazards and the controls implemented by the Commercial Provider in its CTS design to 
ensure all hazards and causes have been identified and adequately controlled (reference SSP 30599 and 
SSP 30309). In the timeframe of the Milestone Reviews, the associated hazard reports shall be 
presented to a NASA board and board member participation will be determined by the content in the 
safety analysis defined by one of the two following stakeholder areas: 

a. Occupant safety throughout all mission phases, including docked operations as it relates to 
hazards created by the CTS vehicle (stakeholder: CCP; CCP Review). 

b. Integrated hazards created by the combined operations during the Rendezvous, Proximity 
Operations, Docking and Undocking (RPODU) phase (stakeholders: CCP/ISS; CCP/ISS joint 
review). 

The phased safety review process is meant to ensure the completeness of the Commercial Provider’s 
hazard analysis and to provide opportunities for NASA and the Commercial Provider to participate in 
real-time value-added risk discussions that are beneficial to both NASA and the Commercial Provider. 
NASA will look to the Commercial Provider to present its analysis at these incremental milestone 
reviews. The Commercial Provider shall provide the assurance that all hazards and hazard causes 
inherent in the design and operations are identified; adequate control strategies have been employed to 
control each of the hazards and causes; and to detail the methods utilized to verify all hazard controls. 
Significant risks identified as a result of the hazard analysis and discussions will be forwarded to CCP 
and ISS Program Management. 

The board responsible for conducting the phased safety reviews of the Commercial Provider’s hazard 
analysis is chartered to meet the following goals: 

a. Determine compliance to relevant requirements. 

b. Evaluate the residual safety risk from meeting established requirements. 

c. Identify unique safety risk not otherwise captured by the requirements. 

d. Evaluate the derived safety requirements from the hazard analysis. 

e. Establish the overall risk of the system. 

f. Eoster value-added risk discussion with the Commercial Provider 
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The CCP phased safety reviews shall be conducted in three phases per SSP 30599. Phase I will be 
conducted in a timeframe that is consistent with a Preliminary Design Review (PDR) level of maturity. 
Phase II will be conducted in a timeframe that is consistent with a Critical Design Review (CDR) level 
of maturity. Phase III will be conducted in a timeframe that is consistent with a DCR level of maturity. 
Phase III includes the incremental closure of all the verification activities identified in the hazard reports 
post DCR. The Commercial Provider shall closeout all verifications deemed required for crewed flight 
test prior to the FTRR and all remaining verifications prior to the the ORR milestone. At the closeout of 
all verifications, the hazard report will be approved by the board and a letter certifying completion of the 
Phase III review will be signed and recorded. 

The scope of the safety reviews is to determine, given a Commercial Provider’s solution, that analysis 
was conducted to the appropriate level to surface key risks in the design and whether risks exist beyond 
the requirements established for certification. The results of the safety reviews are intended to inform 
the design and program reviews and establish the level of acceptable risk for the system. Any 
requirement non-compliances or accepted risk discussions outside the delegated authority of the NASA 
board responsible for reviewing the provider’s safety analysis will be forwarded to the CCP/ISS 
Program Boards for acceptance. 

4.6 Radioactive Material Usage 

The Commercial Provider shall be responsible for characterizing and reporting potential risks associated 
with a planned launch of radioactive materials into space on launch vehicles and spacecraft, during 
normal or abnormal flight conditions. Procedures and levels of review and analysis required for nuclear 
launch safety approval vary with the quantity of radioactive material planned for use and potential risk 
to the general public and the environment. Details of the nuclear launch safety approval process can be 
found in NPR 8715.3, Chapter 6. 

4.7 Human Error Analysis 

The Commercial Provider shall conduct a human error analysis for all mission phases to include 
nominal operations and those operations planned for response to system failures. The results will be 
incorporated into design and operational procedures to minimize the likelihood and negative effects of 
human error. 

4.7.1 Human Error Analysis Data Products 

The Commercial Provider shall develop a summary of how the human error analysis (to date) was used 
to: 

• Understand and manage potential catastrophic hazards which could be caused by human errors. 

• Understand the relative risks and uncertainties within the system design. 

• Influence decisions related to the system design, operational use, and application of testing. 

4.7.2 Human Error Analysis NASA Focus Areas 

NASA will evaluate the Human Error Analysis (HEA) to ensure it identifies potential human actions, 
human errors, hazards, and process failure modes; models human performance, and qualitatively 
characterizes how human error affects the system. The HEA should be used iteratively to make design 
trades and decisions for all mission phases, including operations both within the space system and 
control centers. Eor all nominal operations, including responses to system failures and abort scenarios. 
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the HEA will 1) identify inadvertent operator actions which would cause a catastrophic event and 
determine the appropriate level of tolerance; 2) identify other types of human error that would result in a 
catastrophic event; and 3) ensure application of the appropriate error management. 

4.8 Human Systems Integration 

The Commercial Provider shall establish a Human Systems Integration (HSI) strategy to ensure that 
humans and their needs, as well as their capabilities and limitations, are considered during the design 
and operation of the system. 

4.8.1 Human Systems Integration Data Products 

The HSI products shall include, at a minimum, the following: 

• A master task list including identification of nominal and critical tasks necessary for established 
mission objectives and concepts of operation. 

• Task analyses in support of the CCT-REQ-1 130 requirements that include evaluations of 
functional allocation for manual and automated crew and system tasks; expected utilization of 
operator capabilities to execute the mission, prevent aborts, and prevent catastrophic events; and 
evaluations of the crew's ability to accomplish mission critical and volume driving tasks. 

• A summary of crew workload and usability evaluations that demonstrates the impact of crew 
interface designs on human error and total human-system performance. 

• Human-in-the-loop testing strategy in support of planned human test and demonstration activities. 

4.8.2 Human Systems Integration NASA Focus Areas 

Supporting documentation will be assessed to ensure that human capabilities and limitations have been 
adequately considered. Focus areas include: 

• Evidence of human capability and limitations considerations as part of trade studies/analysis 
activities. 

• Human-in-the-loop test planning and results. 

• Task analysis to identify sequencing (e.g., parallel, serial, multiple crew/systems, individual 
crew/systems) of tasks, time related data (e.g., duration, frequency, limits), task priority, and 
volume or architecture drivers. 

• Evaluation of how crew interface workload and usability impacts human error and total human- 
system performance. 

• Evaluation of the crew's ability to effectively accomplish mission critical and physical 
accommodation driving tasks. 

4.9 Margin Management 

The Commercial Provider shall develop an integrated vehicle performance and design margin allocation 
strategy, and implement it through a detailed set of vehicle stage, system, subsystem, and component 
performance requirements and specifications. The Commercial Provider’s strategy, backed up by an 
assessment of its integrated design approach, will identify and define the appropriate levels of design or 
performance margin needed at the vehicle stage, system, subsystem, and/or component level, and 
address uncertainties and the expected variations in vehicle manufacturing, operational performance, 
and/or operational environments. Consistent with this approach, as the Commercial Provider 
decomposes and flows down higher-level CTS requirements, the Commercial Provider will implement 
its strategy by clearly identifying and allocating the appropriate amount of margin into its approved 
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Stage, system, subsystem, and/or component requirements for the respective hardware and software 
designs. 

4.9.1 Margin Management Data Products 

The Margin Management Plan shall include, at a minimum, the following: 

• A set of critical system resources (e.g., mass, propellant, power) that need to be managed in order 
for the design to meet its requirements. 

• A definition of how margin is calculated for each resource. 

• An assessment of operating margin, growth allowance, and program manager’s reserve for each 
parameter. 

• A margin specification at each development milestone. 

• A Margin Management Report at each development milestone that consists of the current basic 
resource estimate and margin of each resource. 

4.9.2 Margin Management NASA Focus Areas 

Supporting documentation will be assessed to ensure that a comprehensive margin management strategy 
is being employed. Focus areas include: 

• Closed-loop process between spacecraft and launch vehicle performance analysis with adequate 
margins to protect for production and operation variability and evidence of margin’s utilization in 
the design analysis. 

• Traceability of managed performance parameters to the system measures of effectiveness (e.g., 
payload mass, consumable reserves) and design standards. 

• Integration of margin management with the risk process to implement correction when limits are 
exceeded. 
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5.0 Test and Verification 

This section includes hardware and software qualification and acceptance test programs, integrated and 
end-to-end test of flight hardware and software, ground systems test planning, vehicle performance 
management planning, and flight test planning. This may be accomplished through a series of 
demonstrations and joint reviews. More information on V&V as part of certification can be found in 
Section 7. 

5.1 Qualification and Acceptance Test Planning 

5.1.1 Qualification and Acceptance Test Data Products 

In support of CTS certification, the products shall include, at a minimum, the following: 

• Qualification and acceptance documentation and supporting data. 

o Test plans, test reports, and requirements traceability/management, 
o Test configurations and deviations, 
o Qualification margins and derivations. 

o Environments specified and data used in development (e.g., acoustic, shock, etc.). 

• Software Development Plan, verification results, and peer review signoff. 

5.1.2 Qualification and Acceptance Test NASA Focus Areas 

NASA will assess documentation in support of qualification and acceptance testing. NASA will focus 
on the following: 

• Qualification and acceptance documentation and associated reports. 

• Test fidelity and completeness. 

• Validated models and/or analysis used. 

• Requirements traceability /management. 

• Performance requirements and margin analysis. 

• Software development environment, tools, and adherence to the development process. 

• Mapping of system. Computer Software Component (CSC), and interface requirements to 
software design and test. 

5.2 End-to-End Test 

The Commercial Provider is responsible for performing, tracking, and recording CTS flight hardware 
and software integration, test, and checkout. This includes facility integration for hardware and 
software. 

5.2.1 End-to-End Test Data Products 

In support of CTS certification, products shall include, at a minimum, the following: 

• Test procedures, non-conformance, and failure analysis. 

5.2.2 End-to-End Test NASA Focus Areas 

NASA will perform assessments to determine if documentation, evaluation, and anomaly resolution 
during integration, test, and checkout is adequate. Detailed expectations for facility integration standards 
are found in CCT-STD-1 150. 
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5.3 Flight Test 

The Commercial Provider shall develop and implement a flight test program as part of the V&V effort. 
This includes vehicle performance management and margin. Flight test objectives address risk 
reduction and validation needs. As flight hardware and software continues to mature throughout 
development, flight test objectives and the associated strategy will be updated. 

Decision criteria for legitimate flight test objectives satisfy at least one of the following: 

a. Ground testing is not sufficient to adequately test the objective. 

b. Significant risk exists after all ground testing and analysis is complete. 

c. Flight test is the only method to achieve validation of the objective. 

The flight test program shall include a crewed flight to the ISS. This minimally crewed flight shall include 
a NASA crew, dock with the ISS, remain docked for a sufficient duration to check-out ISS interfaces, and 
then return to a supported landing site. 

A contractor-led Joint Test Team (JTT) (reference CCT-PLN-1 100) shall conduct crewed test flights. 

5.3.1 Flight Test Data Products 

In support of CTS certification, the flight test program shall address the test objectives in Table 7-1 that 
meet the criteria for flight test. 

5.3.2 Flight Test NASA Focus Areas 

NASA will review the flight test program objectives and detailed test results for certification. 

5.4 Joint ISS Visiting Vehicle Integration, Verification, and Test Planning 

The ISS Program and the CCP will work with the Commercial Provider to negotiate an ISS Visiting 
Vehicle Joint Integration, Verification, and Test Plan (JIVTP). This test plan will define the steps, 
planning agreements, and products to be completed for joint ISS Visiting Vehicle requirement 
verification, execution, and closure. It also identifies organizational roles, responsibilities, and 
verification ownership. 
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6.0 Production and Operations Validation and Verification 

The Commercial Provider shall develop and implement an approach for the management and control of 
processes for production, assembly, integration, launch and mission planning, execution and recovery. 
Production and operations can and do generally overlap. Production requirements still apply to those 
final vehicle assembly steps, just as operational requirements apply to any operational activities. 

The Commercial Provider shall define, manage, validate, and implement an end-to-end flight and test 
readiness process to include processing and operating plans to execute launch, mission, and recovery 
activities. 

6.1 Production Control 

The Commercial Provider shall establish and maintain an approach to adequately verify production 
hardware/software. 

6.1.1 Production Control Data Products 

In support of CTS certification, documents and data records describing or developed during the 
associated processes shall include, at a minimum, the following: 

• Manufacturing, fabrication, storage, and transportation processes which comply with design. 

• Provide documentation to clearly show how production related hazard controls, identified through 
the safety review process, have been flowed down into production requirements and can be traced 
to implementation. 

• Inventory acceptance process and records to verify that incoming parts and materials comply with 
all design drawings and specifications and include required materials certification data. 

• Inventory control processes and records that ensure parts and materials are properly warehoused in 
accordance with materials control and storage requirements, and that shelf life requirements are 
properly observed. 

• Inventory assignment/distribution process and records which provide adequate control and 
traceability of critical parts and materials from the source to the final “as built” configuration. 

• Implementation of non-conformance identification, tracking, and corrective action with 
verification that issues are returned to print or accepted as a design change through the FRR 
process. 

• Provide documentation to clearly show how tooling and equipment used in the manufacture and 
test of flight hardware is verified to meet all production requirements and tolerances. 

• Production support processes for metrology and other critical production support activities and 
related production records to verify production processes and equipment are maintained within 
established limits. 

• Assembly/integration and test plans for subsystem, system, stage, and vehicle. 

• Periodic audits to verify compliance. 

6.1.2 Production Control NASA Focus Areas 

NASA will perform assessments to determine if the processes provide adequate documentation and 
completeness, which includes the evaluation of the Commercial Provider’s compliance with these 
processes. In addition to certification, NASA will verify that key performance parameters are trended, 
evaluated, and understood flight-to-fiight. 
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6.2 Operations Planning 

6.2.1 Operations Planning Data Products 

Operations products shall include, at a minimum, the following: 

• The Commercial Provider shall develop operations processes and products consistent with CTS 
design limitations. Operations processes shall define methods to develop, validate, and certify the 
operations products and facilities. Operations products shall include: mission manifesting; flight 
design; ground operations procedures supporting nominal and off-nominal operations, mission 
controller/flight crew procedures supporting nominal and off-nominal scenarios while in-flight, 
nomenclature definition, vehicle and crew timelines, ground monitoring/control systems, and 
flight rules. 

6.2.2 Operations Planning NASA Focus Areas 

NASA will verify the Commercial Provider meets the intent of CCT-STD-1 150, Section 3. 

6.3 Operations Training 

6.3.1 Operations Training Data Products 

Operations products shall include, at a minimum, the following: 

• The Commercial Provider shall develop a training program for personnel having safety critical or 
mission critical roles. This training program shall include simulation training for flight crew and 
mission controller personnel that closely mimics the conditions that will be seen during flight and 
address nominal and off-nominal scenarios. The training program shall also define standards for 
non-critical roles, including instructors and lessons. Personnel with safety or mission critical roles 
include mission designers, assembly/integration/testing and launch engineers, technicians and 
quality control personnel, mission and ground controllers, all flight crew, and recovery personnel. 

6.3.2 Operations Training NASA Focus Areas 

• NASA will verify the Commercial Provider meets the intent of CCT-STD-1 150, Section 5. 

6.4 Operations Execution 

6.4.1 Operations Execution Data Products 

Operations products shall include, at a minimum, the following: 

• The Commercial Provider shall develop a mission execution process addressing operational 
communication plans, operational management plans, realtime analyses, and contingency action 
plans. This includes defining mission authority (provider led, interfaces to NASA led, and joint 
decision making), which allows for informed decision-making and risk management. The 
associated CTS Mission Management Process is addressed in CCT-PLN-1 100. 

6.4.2 Operations Execution NASA Focus Areas 

NASA will verify the Commercial Provider meets the intent of CCT-STD-1 150, Section 6. 
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6.5 Operations Review Process 

6.5.1 Operations Review Process Data Products 

Operations products shall include, at a minimum, the following: 

• The Commercial Provider shall develop a ground processing, real-time, and post- flight review 
process to validate the CTS is performing as predicted and operating within design limitations. 
Ground processing review shall include a process that tracks and resolves anomalies, captures 
potential process improvements, and lessons learned to improve and inform future ground 
operations and CTS design changes. Real-time review process shall analyze and assess in-flight 
anomalies and CTS performance such that mission execution can continue safely. The post-flight 
review process shall include debriefing the flight crew and operations personnel. 

6.5.2 Operations Review Process NASA Focus Areas 

NASA will verify the Commercial Provider meets the intent of CCT-STD-1 150, Section 7. 
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7.0 Certification Plan Overview 

The Commercial Provider, with CCP approval, shall define, control, and execute an end-to-end 
Certification Plan per Appendix C. The provided Certification Plan defines an integrated strategy for 
certification of the complete CTS and defines a structured and organized approach for implementing the 
strategy. Since certification is a progressive process and is highly sensitive to the order of execution, the 
certification strategy will clearly define the order of execution, with a schedule and critical path clearly 
outlined. The Certification Plan will define the V&V methods for all CTS technical requirements, 
including the requirements which result from the necessary decomposition and flow down of higher 
level CTS requirements to the appropriate level. CTS requirements V&V includes those requirements 
established to control critical hazards. The Commercial Provider shall deliver a V&V plan per 
Appendix D. NASA will approve the V&V Plan which includes all NASA technical requirements in 
CCP-REQ-1 130 and SSP 50808, and all Commercial Provider decomposed or derived requirements. 
Although NASA will only verify compliance of the NASA technical requirements in CCP-REQ-1 130 
and SSP 50808, NASA will review data supporting these lower level requirement closures. All “meets 
the intent” requirements are applied to the CTS, as described in Section 4.1 of this document for 
alternate standards and CCT-REQ- 1 130, Section 3.10 for human health, medical, and performance. 
Complete execution of the Certification Plan will ultimately provide the objective evidence necessary to 
verify compliance with all design and performance requirements governing the capability and 
performance of all critical systems, subsystems, and the integrated CTS. Where the Certification Plan 
includes validation, verification, or demonstration of design requirements, system performance, or 
accuracy of analytical models through test (including test flights), the Commercial Provider shall 
develop a test plan. The plan would document test objectives with linkage to specific requirements that 
are verified by the test. Eor flight tests, the test plan shall require NASA approval. 

Prior to the first EEO crewed test flight, the flight test readiness process will include a DCR of 
applicable elements from completed CTS Certification Milestones (for an interim CTS certification) and 
an ETRR. The DCR will formally document the configuration baseline (hardware, software, and 
processes used in design, production, and operations) and the conditions under which the CTS is 
certified (performance, fabrication and operational environments, constraints). Eollowing the CCP's 
concurrence with the Commercial Partner's determination of flight readiness, the CCP will develop a 
recommendation for flight readiness to be presented at the NASA ETRR. The purpose of this review is 
request approval to proceed to launch countdown for a mission that transports NASA crew and to 
document the formal acceptance of risk by NASA and the Commercial Partner. Upon successful 
completion of each ETRR and closure of open work, NASA will grant CTS Certification of Elight Test 
Readiness (CoETR) for the flight test mission. 

Milestone Reviews will be utilized to gain CCP concurrence of the progress toward CTS certification. 
The form of the CTS Certification Data Package is a compilation of pertinent documents. The package 
collectively illustrates, with supporting evidence, that the system has met the technical requirements and 
is safe to carry NASA crew to and from the ISS. The CTS Certification Data Package will be 
configuration managed (includes referenced/linked material) to clearly track changes made between 
milestones. 

The CTS Certification Data Package Content is summarized in the Table 7-1. Supporting data necessary 
to satisfy the certification elements is shown in the Data Products sections throughout this document; 
data is not limited to that shown. A listing of NASA focus-areas for review, examination, or analysis 
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show those that NASA plans to perform for satisfaction of certification. Implementation of NASA 
assessments may identify additional focus areas or in-house analysis necessitating additional provided 
data. 
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Table 7-1: CTS Certification Data Package Content 

CTS Certification Data Package content includes: 

Summary level CTS configuration for certification, with further access to all relevant detailed design and 
manufacturing data, which influences the final as-designed or as-huilt configuration. This includes access to 
configuration definition products, such as CAD models, design drawings, production records, waivers, or 
deviations. 

A description of each reference mission and operations plans for which CTS certification is being requested. 

Management systems and the related implementation and control process. 

System Safety to include hazard analysis and control process, human error analysis, software safety analysis, 
and crew survival strategy assessment. 

Quality management system, implementation, and controls. 

Integrated risk management and analysis. 

Manufacturing and Operations V&V Plan, including plans for verification of specific hazard controls 

implemented. 

Summary level flight hardware and software qualification and acceptance data, with further access to detailed 
relevant test plans and reports, analysis, analytical models, and inspection/demonstration related data. 

A combined ground and flight test program, with objectives linked to program development/validation needs. 
The test program, which may include a combination of component tests, subsystem tests, system tests, stage 
tests, vehicle tests, vehicle suborbital flight tests, vehicle orbital flight tests, landing, and abort system tests, 
must be robust enough to provide confidence in the aspects of the system design, and reduce uncertainties to 
adequately operate within its established design envelop, not adequately verified by any other method. The 
following test objectives will be addressed with detailed test results before NASA will certify the vehicle: 

• Verify all design and performance requirements not previously verified by another method. 

• V alidate the nominal performance of the system. 

• Validate the dynamic response characteristics of the system. 

• V alidate the structural integrity of the system. 

• Demonstrate the critical separation systems performance. 

• Demonstrate the entry, landing, and recovery systems. 

• Validate the critical system environments. 

• Bound critical performance uncertainties. 

• Demonstrate the abort system performance during critical phases of flight. 

• For ISS, demonstrate manual/automatic rendezvous, proximity operations, and docking systems 
(including abort and hold). 

• Demonstrate the critical ground and mission support systems. 

A summary of the end-to-end design certification process, with further access provided to the detailed design 
Certification Plan. The summary will identify V&V methods employed, general implementation approach, and 
summary results for the following (with links to the detailed results): 

• Certification of detailed CTS operational and design technical requirements. 

• Certification of CTS performance. 

• Certification of integrated human-system performance. 
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Appendix A: Acronyms 


Acronyms 

Phrase 

CBR 

Certification Baseline Review 

CCP 

Commercial Crew Program 

CDR 

Critical Design Review 

CERR 

Critical Event Readiness Review 

CM 

Configuration Management 

CoFTR 

Certification of Flight Test Readiness 

CSC 

Computer Software Component 

CIS 

Crew Transportation System 

DCR 

Design Certification Review 

DR 

Decommissioning Review 

DRM 

Design Reference Mission 

ERR 

Flight Readiness Review 

FTRR 

Flight Test Readiness Review 

GIDEP 

Government Industry Data Exchange Program 

HEA 

Human Error Analysis 

HSI 

Human Systems Integration 

ICDR 

Integrated Critical Design Review 

IPDR 

Integrated Preliminary Design Review 

ISS 

International Space Station 

JIVTP 

Joint Integration, Verification, and Test Plan 

JTT 

Joint Test Team 

LCC 

Faunch Commit Criteria 

LEO 

Fow Earth Orbit 

LOC 

Foss of Crew 

LOM 

Foss of Mission 

MMT 

Mission Management Team 

MPCP 

Mishap Preparedness and Contingency Plan 

MRB 

Material Review Board 

MUA 

Material Usage Agreement 

NASA 

National Aeronautics and Space Administration 

ORR 

Operations Readiness Review 

PCB 

Program Control Board 

PDR 

Preliminary Design Review 

PEAR 

Post-Flight Assessment Review 

PLAR 

Post-Faunch Assessment Review 

PMP 

Project Management Plan 

PSA 

Probabilistic Safety Analysis 

RPODU 

Rendezvous, Proximity Operations, Docking and Undocking 

SAR 

System Acceptance Review 

SDR 

System Definition Review 

SIR 

System Integration Review 
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SORR 

Stage Operational Readiness Review 

SRR 

System Requirements Review 

TBD 

To Be Determined 

V&V 

Verification and Validation 
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Appendix B: 1100 Series Definitions 


Term 

Definition 

Abort 

The forced early return of the crew when failures or the existence of 
uncontrolled catastrophic hazards prevent continuation of the mission profile 
and a return is required for crew survival. 

Ambient Light 

Any surrounding light source (existing lighting conditions). This could be a 
combination of natural lighting (e.g., sunlight, moonlight) and any artificial 
light source provided. For example, in an office there would be ambient light 
sources of both the natural sunlight and the fluorescent lights above (general 
office lighting). 

Analysis 

A verification method utilizing techniques and tools, such as math models, 
prior test data, simulations, analytical assessments, etc. Analysis may be used 
in lieu of, or in addition to, other methods to ensure compliance to 
specification requirements. The selected techniques may include, but not be 
limited to, task analysis, engineering analysis, statistics and qualitative 
analysis, computer and hardware simulations, and analog modeling. Analysis 
may be used when it can be determined that rigorous and accurate analysis is 
possible, test is not cost effective, and verification by inspection is not 
adequate. 

Annunciate 

To provide a visual, tactile, or audible indication. 

Approach Ellipsoid 

A 4 X 2 X 2 km ellipsoid, centered at the ISS center of mass, with the long axis 
aligned with the V-Bar. 

Approach Initiation 

The approach initiation is the first rendezvous maneuver during a nominal 
approach that is targeted to bring the vehicle inside the ISS approach ellipsoid 
(AE). 

Ascent 

The period of time from initial motion away from the launch pad until orbit 
insertion during a nominal flight or ascent abort initiation during an abort. 

Ascent Abort 

An abort performed during ascent, where the crewed spacecraft is separated 
from the launch vehicle without the capability to achieve the desired orbit. 
The crew is safely returned to a landing site in a portion of the spacecraft 
nominally used for entry and landing/touchdown. 

Automated 

Automatic (as opposed to human) control of a system or operation. 

Autonomous 

Ability of a space system to perform operations independent from any ground- 
based systems. This includes no communication with, or real-time support 
from, mission control or other ground systems. 

Backout 

During mission execution, the coordinated cessation of a current activity or 
procedure and careful return to a known, safe state. 

Breakout 

Any action that interrupts the nominally planned free flight operations that are 
intended to place the spacecraft outside of a threatening location to the 
cooperative vehicle. This may be an automated or manually executed action. 
For the ISS, the area within which a vehicle poses a threat to ISS is called the 
Approach Ellipse. 

Cargo 

An item (or items) required to maintain the operability of the ISS and/or the 
health of its crew, and that must be launched and/or returned. 
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Catastrophic Event 

An event resulting in the death or permanent disability of a ground closeout or 
flight crewmember, or an event resulting in the unplanned loss/destruction of a 
major element of the CTS or ISS during the mission that could potentially 
result in the death or permanent disability of a flight crewmember. 

Catastrophic Hazard 

A condition that could result in the death or permanent disability of a ground 
closeout or flight crewmember, or in the unplanned loss/destruction of a major 
element of the CTS during the mission that could potentially result in the 
death or permanent disability of a flight crewmember. 

Command 

Directive to a processor or system to perform a particular action or function. 

Communications 

Coverage 

Communication coverage is defined as successful link availability for nominal 
ascent and entry trajectories. 

Communications 

Link 

A communication link is established, whereas the received commands and 
voice from the CVCC to the spacecraft and the transmitted health and status 
data, crew health and medical related data, voice, telemetry, and transmitted 
launch vehicle and spacecraft engineering data are received. 

Consumable 

Resource that is consumed in the course of conducting a given mission. 
Examples include propellant, power, habitability items (e.g., gaseous oxygen), 
and crew supplies. 

Continental U.S. 
Airport 

An airport within the continental United States capable of accommodating 
executive jet aircraft similar to the Gulfstream series aircraft. 

Contingency 

Provisioning for an event or circumstance that is possible but cannot be 
predicted with certainty. 

Contingency 
Spacecraft Crew 
Support (CSCS) 

CSCS is declared when the spacecraft crew takes shelter on the ISS because 
the spacecraft has been determined to be unsafe for reentry. In this case, a 
rescue mission is required to return the spacecraft crew safely. 

Crew 

Any human onboard the spacecraft after the hatch is closed for flight or 
onboard the spacecraft during flight. 

Crew Transportation 
System (CTS) 

The collection of all space-based and ground-based systems (encompassing 
hardware and software) used to conduct space missions or support activity in 
space, including, but not limited to, the integrated space vehicle, space-based 
communication and navigation systems, launch systems, and mission/launch 
control. 

Critical Decision 

Those technical decisions related to design, development, manufacturing, 
ground, or flight operations that may impact human safety or mission success, 
as measured by defined criteria. 

Critical Fault 

Any identified fault of software whose effect would result in a catastrophic 
event or abort. 

Critical Function 

Mission capabilities or system functions that, if lost, would result in a 
catastrophic event or an abort. 

Critical Hazard 

A condition that may cause a severe injury or occupational illness. 

Critical Software 

Any software component whose behavior or performance could lead to a 
catastrophic event or abort. This includes the flight software, as well as 
ground-control software. 

Critical 

Software/Firmware 

Software/Firmware that resides in a safety-critical system that is a potential 
hazard cause or contributor, supports a hazard control or mitigation, controls 
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safety-critical functions, or detects and reports 1) fault trends that indicate a 
potential hazard and/or 2) failures which lead to a hazardous condition. 

Critical (sub) System 

A (sub)system is assessed as critical if loss of overall (sub)system function, or 
improper performance of a (sub)system function, could result in a catastrophic 
event or abort. 

CTS Certification 

CTS certification is the documented authorization granted by the NASA 
Associate Administrator that allows the use of the CTS within its prescribed 
parameters for its defined reference missions. CTS certification is obtained 
prior to the first crewed flight (for flight elements) or operational use (for 
other systems). 

CTS Element 

One component part of the overall Crew Transportation System. For example, 
the spacecraft is an element of the CTS. 

Deconditioned 

“Deconditioned” defines a space crewmember whose physiological 
capabilities, including musculoskeletal, cardiopulmonary, and neurovestibular, 
have deteriorated as a result of exposure to micro-gravity and the space 
environment. It results in degraded crewmember performance for nominal 
and off-nominal mission tasks. 

Definitive Medical 
Care 

An inpatient medical care facility capable of comprehensive diagnosis and 
treatment of a crewmember's injuries or illness without outside assistance — 
capable of care of Category I, II, and III trauma patients. Usually a Level I 
trauma center, as defined by the American College of Surgeons. 

Demonstration 

A method of verification that consists of a qualitative determination of the 
properties of a test article. This qualitative determination is made through 
observation, with or without special test equipment or instrumentation, which 
verifies characteristics, such as human engineering features, services, access 
features, and transportability. Human-in-the-loop demonstration is performed 
for complex interfaces or operations that are difficult to verify through 
modeling analysis, such as physical accommodation for crew ingress and 
egress. Demonstration requirements are normally implemented within a test 
plan, operations plan, or test procedure. 

Docking 

Mating of two independently operating spacecraft or other systems in space 
using independent control of the two vehicles' flight paths and attitudes during 
contact and capture. Docking begins at the time of initial contact of the 
vehicles' docking mechanisms and concludes when full rigidization of the 
interface is achieved. 

Downrange Abort 
Exclusion Zone 

A geographical region of the North Atlantic Ocean to be avoided for water 
landings during ascent aborts for ISS missions due to rough seas and cold 
water temperatures. The region is depicted in Figure B-1. The St. John’s 
abort landing area includes the waters within 200 nmi range to St John’s 
International Airport (47° 37’ N, 52° 45’ W). The Shannon abort landing area 
includes the waters within 200 nmi range to Shannon International Airport 
(52° 42’ N, 8° 55’ W). Note; The northern and southern bounds of the DAEZ 
in the ISS Mission DAEZ figure are notional, as these bounds are limited only 
by steering and cross-range performance along the ascent trajectory and are 

not formally constrained. 
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Downrange Abort 
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Emergency 

An unexpected event or events during a mission that requires immediate 
action to keep the crew alive or serious injury from occurring. 

Emergency Egress 

Capability for a crew to exit the vehicle and leave the hazardous situation or 
catastrophic event within the specified time. Flight crew emergency egress 
can be unassisted or assisted by ground personnel. 

Emergency 
Equipment and 
Systems 

Systems (ground or flight) that exist solely to prevent loss of life in the 
presence of imminent catastrophic conditions. Examples include fire 
suppression systems and extinguishers, emergency breathing devices, Personal 
Protective Equipment (PPE) and crew escape systems. Emergency systems 
are not considered a leg of failure tolerance for the nominal, operational 
equipment and systems, and do not serve as a design control to prevent the 
occurrence of a catastrophic condition. 

Emergency Medical 
Services 

Services required to provide the crewmembers with immediate medical care to 
prevent loss of life or aggravated physical or psychological conditions. 

End of Mission 

The planned landing time for the entire mission, including the nominal pre- 
flight agreed to docked mission duration. 

Entry 

The period of time that begins with the final commitment to enter the 
atmosphere from orbit or from an ascent abort, and ending when the velocity 
of the spacecraft is zero relative to the landing surface. 

Entry Interface 

The point in the entry phase where the spacecraft contacts the atmosphere 
(typically at a geodetic altitude of 400,000 feet), resulting in increased heating 
to the thermal protection system and remainder of the spacecraft exterior 
surfaces. 

External Launch 
Constraint 

Conditions outside the CTS provider's control, such as range weather 
constraints or faults with range or ISS assets, or weather constraints affecting 
abort rescue forces capabilities. Range weather examples include ability to 
visually monitor the initial phases of the launch for range safety, etc. Non- 
weather range constraints include range safety radar and telemetry systems 
availability, flight termination systems readiness, clearance of air, land, sea, 
etc. 

Failure 

Inability of a system, subsystem, component, or part to perform its required 
function within specified limits. 
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Failure Tolerance 

The ability to sustain a certain number of failures and still retain capability. A 
component, subsystem, or system that cannot sustain at least one failure is not 
considered to be failure tolerant. 

Fault 

An undesired system state and/or the immediate cause of failure (e.g., 
maladjustment, misalignment, defect, or other). The definition of the term 
“fault” envelopes the word “failure,” since faults include other undesired 
events, such as software anomalies and operational anomalies. Faults at a 
lower level could lead to failures at the higher subsystem or system level. 

Flight Configuration 

The arrangement, orientation and operational state of system elements and 
cargo, vehicle cabin layout, flight software mode, and crew complement, 
clothing and equipment in the applicable mission or ground phase necessary in 
verification to evaluate the attributes called out in the requirement. 

Flight Hardware 

All components and systems that comprise the internal and external portions 
of the spacecraft, launch vehicle, launch abort system, and crew worn 
equipment. 

Flight Operations 

All operations of the integrated space vehicle and the crew and ground teams 
supporting the integrated space vehicle from liftoff until landing. 

Flight Phase 

A particular phase or timeframe during a mission is referred to as a flight 
phase. The term “all flight phases” is defined as the following flight phases: 
pre-launch, ascent, onorbit free-flight, docked operations, deorbit/entry, 
landing, and post-landing. 

Flight 

Representative 

Description of a test-article used in verifications in which the attributes under 
evaluation are equivalent to the flight article. 

Example: Human-in-the-loop tests for spacecraft egress must use an 
equivalent cabin layout, seats and restraints, and hatch configuration and 
masses. However, the propulsion system does not need to be functional, as it 
is not under evaluation. 

Flight Rules 

Established redline limits for critical flight parameters. Each has pre-planned 
troubleshooting procedures with pre- approved decisions for expected 
troubleshooting results. 

Flight Systems 

Any equipment, system, subsystem or component that is part of the integrated 
space system. 

Flight Termination 

An emergency action taken by range safety when a vehicle violates 
established safety criteria for the protection of life and property. This action 
circumvents the vehicles’ normal control modes and ends its powered and/or 
controlled flight. 

Free Flight 
Operations 

Onorbit operations that occur when the spacecraft is not in contact with any 
part of the ISS. 

Ground Crew 

Operations personnel that assist the flight crew in entering the spacecraft, 
closing the hatch, performing leak checks, and working on the integrated 
space vehicle at the pad during launch operations. 

Ground Hardware 

All components and systems that reside on the ground in support of the 
mission, including the Commercial Vehicle Control Center, launch pad, 
ground support equipment, recovery equipment, facilities, and 
communications, network, and tracking equipment. 
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Ground Processing 

• The work required to prepare the launch vehicle and spacecraft for 

mission from final assembly/integration/test through launch and resumes 
after landing for recovery of crew and cargo. 

Ground Support 
Equipment 

Any non-flight equipment, system(s), ground system(s), or devices 
specifically designed and developed for a direct physical or functional 
interface with flight hardware to support the execution of ground production 
or processing. The following are not considered to be GSE: 

• Tools designed for general use and not specifically for use on flight 
hardware. 

Ground Support Systems that interface with GSE Eacilities. 

Habitable 

The environment that is necessary to sustain the life of the crew and to allow 
the crew to perform their functions in an efficient manner. 

Hazard 

A state or a set of conditions, internal or external to a system, that has the 
potential to cause harm. 

Hazard Analysis 

The process of identifying hazards and their potential causal factors. 

Health and Status 
Data 

Data, including emergency, caution, and warning data, that can be analyzed or 
monitored describing the ability of the system or system components to meet 
their performance requirements. 

Human Error 

Either an action that is not intended or desired by the human or a failure on the 
part of the human to perform a prescribed action within specified limits of 
accuracy, sequence, or time that fails to produce the expected result and has 
led or has the potential to lead to an unwanted consequence. 

Human Error 
Analysis (HEA) 

A systematic approach used to evaluate human actions, identify potential 
human error, model human performance, and qualitatively characterize how 
human error affects a system. HEA provides an evaluation of human actions 
and error in an effort to generate system improvements that reduce the 
frequency of error and minimize the negative effects on the system. HEA is 
the first step in Human Risk Assessment and is often referred to as qualitative 
Human Risk Assessment. 

Human-in-the-Loop 

Evaluation 

Human-in-the-loop evaluations involve having human subjects, which include 
NASA crewmembers as a subset of the test subject population, perform 
identified tasks in a representative mockup, prototype, engineering, or flight 
unit. The fidelity of mockups used for human-in-the-loop evaluations may 
range from low-fidelity, minimal representation, to high-fidelity, complete 
physical and/or functional representation, relevant to the evaluation. Ideally, 
the fidelity of human-in-the-loop mockups and tests increases as designs 
mature for more comprehensive evaluations. Eurther information on human- 
in-the-loop evaluations throughout system design can be found in JSC 65995 
CHSIP. 

Human- System 
Integration 

The process of integrating human operations into the system design through 
analysis, testing, and modeling of human performance, interface 
controls/displays, and human-automation interaction to improve safety, 
efficiency, and mission success. 

111 or Injured 

Refers to a crewmember whose physiological and/or psychological well-being 
and health has deteriorated as a result of an illness (e.g., appendicitis) or injury 
(e.g., trauma, toxic exposure) and requires medical capabilities exceeding 
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those available on the ISS and transportation to ground-based definitive 
medical care. Ill or injured crewmember performance for nominal and off- 
nominal mission tasks will be degraded. 

Inspection 

A method of verification that determines conformance to requirements by the 
use of standard quality control methods to ensure compliance by review of 
drawings and data. This method is used wherever documents or data can be 
visually used to verify the physical characteristics of the product instead of the 
performance of the product. 

Integrated 

Operations 

All operations starting at 90 minutes prior to the ISS Approach Initiation and 
lasting until the vehicle leaves the ISS Approach Ellipsoid on a non-return 
trajectory. 

Integrated Space 
Vehicle 

The integrated space vehicle consists of all the system elements that are 
occupied by the crew during the space mission and provide life support 
functions for the crew. The integrated space vehicle also includes all elements 
physically attached to the spacecraft during the mission. The integrated space 
vehicle is part of the larger space system used to conduct the mission. 

Landing 

The final phase or region of flight consisting of transition from descent to an 
approach, touchdown, and coming to rest. 

Landing Site 

Supported Landing Sites: A fully supported site on a Continental U.S. land 
mass or waters directly extending from the coast with CTS recovery forces on 
station at the time of landing. The landing site zone extends through 
nominally expected dispersions from the landing site point. 

Designated Primarv Landing Site - A sunnorted landing site-intended for 
landing at the time of spacecraft undock. 

Alternate Landing Site - A sunnorted landing site to which the snacecraft 
landing can be diverted in the event the deorbit bum is delayed. 

Unsupported Landing Sites: 

Emergencv Landing - Anv unsuoDorted site (land or water) arrived at due to 
critical failures that force immediate return and preclude landing at a 
designated primary or alternate landing sites. 

Launch Commit 
Criteria 

Established redline limits for critical launch parameters. Each has pre-planned 
troubleshooting procedures with pre- approved decisions for expected 
troubleshooting results. 

Launch Opportunity 

The period of time during which the relative position of the launch site, the 
ISS orbital plane, and ISS phase angle permit the launch vehicle to insert the 
spacecraft into a rendezvous trajectory with the ISS (northerly launches only 
due to range constraints). The ISS is in-plane with the Eastern Range 
approximately every 23 hours and 36 minutes. 

Launch Probability 

The probability that the system will successfully complete a scheduled launch 
event. The launch opportunity will be considered scheduled at 24 hours prior 
to the opening of the launch window. 

Launch Vehicle 

The vehicle that contains the propulsion system necessary to deliver the 
energy required to insert the spacecraft into orbit. 

Life-Cycle 

The totality of a program or project extending from formulation through 
implementation, encompassing the elements of design, development, 
verification, production, operation, maintenance, support, and disposal. 
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Loss of Crew 

Death or permanently debilitating injury to one or more crewmembers. 

Loss of Mission 

Loss of, or the inability to complete enough of, the primary mission 
objectives, such that a repeat mission must be flown. 

Maintenance 

The function of keeping items or equipment in, or restoring them to, a 
specified operational condition. It includes servicing, test, inspection, 
adjustment/alignment, removal, replacement, access, assembly/disassembly, 
lubrication, operation, decontamination, installation, fault location, calibration, 
condition determination, repair, modification, overhaul, rebuilding, and 
reclamation. 

Manual Control 

• The crew's ability to bypass automation in order to exert direct control 
over a space system or operation. For control of a spacecraft's flight path, 
manual control is the ability for the crew to affect any flight path within 
the capability of the flight control system. Similarly, for control of a 
spacecraft's attitude, manual control is the ability for the crew to affect 
any attitude within the capability of the flight/attitude control system. 

MCC-H Mission 
Authority 

• MCC-H has authority to make final decisions regarding spacecraft 
operations, including but not limited to Go/No-Go decisions and safety of 
flight and crew(s). 

• Beginning with either ISS integrated operations, or 30 minutes before the 
first required ISS configuration or crew activity in support of the 
spacecraft on rendezvous (e.g., ISS attitude maneuver, appendage 
configuration, USOS GPS configuration), whichever comes first. 

• Ending with either the end of ISS integrated operations, or when ISS is 
not required to maintain its configuration (e.g., ISS attitude, USOS GPS 
configuration, or appendages in a configuration) to support the spacecraft, 
whichever comes later. 

Applies anytime the spacecraft free-drift trajectory, including dispersions, is 

predicted to enter the ISS AE within the next 24 hours. 

Mission 

The mission begins with entry of the crew into the spacecraft, includes 
delivery of the crew to/from ISS, and ends with successful delivery of the 
crew to NASA after landing. 

Mission Critical 

Item or function that must retain its operational capability to assure no mission 
failure (i.e., for mission success). 

Operations 

Personnel 

All persons supporting ground operations or flight operations functions of the 
GTS. Examples of these personnel are listed below: 

Persons responsible for the production, assembly/integration/test, validation, 
and maintenance of flight hardware, production facilities, launch site facilities, 
operations facilities, or ground support equipment (GSE). Persons involved 
with supporting or managing the launch countdown, crew training, or mission 
during flight. Persons involved in post-flight recovery. 

Orbit 

This flight phase starts just after final orbit insertion and ends at the 
completion of the first deorbit bum. 

Override 

To take precedence over system control functions. 

Pad Abort 

An abort performed where the crewed spacecraft is separated from the launch 
vehicle while the launch vehicle remains on the launch pad. As a result, the 
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crewed spacecraft is safely transported to an area which is not susceptible to 
the dangers associated with the hazardous environment at the launch pad. 

Permanent Disability 

A non-fatal occupational injury or illness resulting in permanent impairment 
through loss of, or compromised use of, a critical part of the body, to include 
major limbs (e.g., arm, leg), critical sensory organs (e.g., eye), critical life- 
supporting organs (e.g., heart, lungs, brain), and/or body parts controlling 
major motor functions (e.g., spine, neck). Therefore, permanent disability 
includes a non-fatal injury or occupational illness that permanently 
incapacitates a person to the extent that he or she cannot be rehabilitated to 
achieve gainful employment in their trained occupation and results in a 
medical discharge from duties or civilian equivalent. 

Portable Fire 
Suppression System 

A system comprised of one or more portable handheld fire extinguishers and 
access ports. These access ports allow the user to discharge fire suppressant 
into enclosed areas with potential ignition sources. See also 3.10.12.2 Use of 
Hazardous Chemicals. 

Post-Landing 

The mission phase beginning with the actual landing event when the vehicle 
has no horizontal or vertical motion relative to the surface and ending when 
the last crewmember is loaded on the aircraft for return to JSC. 

Proximity 

Operations 

The flight phase including all times during which the vehicle is in free flight 
beginning just prior to Approach Initiation (AI) execution and ending when 
the vehicle leaves the Approach Ellipsoid (AE). 

Quiescent Docked 
Operations 

The state of the CTS spacecraft while it is docked to the ISS with hatches 
open and ISS services, as called out in SSP 50808, connected and operational. 
Erom this state, the vehicle can support immediate ingress and transition into 
safe haven in the case of an emergency. 

Recovery 

The process of proceeding to a designated nominal landing site, and retrieving 
crew, flight crew equipment, cargo, and payloads after a planned nominal 
landing. 

Reliability 

The probability that a system of hardware, software, and human elements will 
function as intended over a specified period of time under specified 
environmental conditions. 

Rendezvous 

The flight phase of executing a series of onorbit maneuvers to move the 
spacecraft into the proximity of its target. This phase starts with orbit 
insertion and ends just prior to the approach initiation. 

Safe Haven 

A functional association of capabilities and environments that is initiated and 
activated in the event of a potentially life-threatening anomaly and allows 
human survival until rescue, the event ends, or repair can be affected. It is a 
location at a safe distance from or closed off from the life-threatening 
anomaly. 

Safety 

The absence from those conditions that can cause death, injury, occupational 
illness, damage to or loss of equipment or property, or damage to the 
environment. 

Safety Critical 

A condition, event, operation, process, function, equipment or system 
(including software and firmware) with potential for personnel injury or loss, 
or with potential for loss or damage to vehicles, equipment or facilities, loss or 
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excessive degradation of the function of critical equipment, or which is 
necessary to control a hazard. 

Search and Rescue 

The process of locating the crew, proceeding to their position, and providing 
assistance. 

Software 

Computer instructions or data stored electronically. Systems software 
includes the operating system and all the utilities that enable the computer to 
function. Applications software includes programs that do real work for users, 
such as word processors, spreadsheets, data management systems, and 
analysis tools. Software can be Commercial Off-The-Shelf (COTS), 
contractor developed. Government furnished, or combinations thereof. 

Spacecraft 

All system elements that are occupied by the crew during the space mission 
and provide life support functions for the crew. The crewed element includes 
all the subsystems that provide life support functions for the crew. 

Space System 

The collection of all space-based and ground-based systems (encompassing 
hardware and software) used to conduct space missions or support activity in 
space, including, but not limited to, the integrated space vehicle, space-based 
communication and navigation systems, launch systems, and mission/launch 
control. 

Stowage 

The accommodation of physical items in a safe and secure manner in the 
spacecraft. This does not imply that resources other than physical 
accommodations (e.g., power, thermal, etc.) are supplied. 

Subsystem 

A secondary or subordinate system within a system (such as the spacecraft) 
that performs a specific function or functions. Examples include electrical 
power, guidance and navigation, attitude control, telemetry, thermal control, 
propulsion, structures subsystems. A subsystem may consist of several 
components (hardware and software) and may include interconnection items 
such as cables or tubing and the support structure to which they are mounted. 

System 

The aggregate of the ground segment, flight segment, and workforce required 
for crew rescue and crew transport. 

Task Analysis 

Task analysis is an iterative human-centered design process through which 
user tasks are identified and analyzed. It involves 1) the identification of the 
tasks and subtasks involved in a process or system, and 2) analysis of those 
tasks (e.g., who performs them, what equipment is used, under what 
conditions, the priority of the task, dependence on other tasks). The focus is on 
the human and how they perform the task, rather than the system. Results can 
help determine the hardware or software that should be developed/used for a 
particular task, the ideal allocation of tasks to humans vs. automation, and the 
criticality of tasks, which drive design decisions. Further information on task 
analysis can be found in JSC 65995 CHSIP, Section 4.1. 

Test 

A method of verification in which technical means, such as the use of special 
equipment, instrumentation, simulation techniques, and the application of 
established principles and procedures, are used for the evaluation of 
components, subsystems, and systems to determine compliance with 
requirements. Test will be selected as the primary method when analytical 
techniques do not produce adequate results; failure modes exist, which could 
compromise personnel safety, adversely affect flight systems or payload 
operation, or result in a loss of mission objectives. The analysis of data 
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derived from tests is an integral part of the test program and should not be 
confused with analysis as defined above. Tests will be used to determine 
quantitative compliance to requirements and produce quantitative results. 

Validation 

Proof that the product accomplishes the intended purpose. May be determined 
by a combination of test, analysis, and demonstration. 
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Appendix C: CTS Certification Plan 

The Provider shall deliver to NASA an end-to-end certification plan. The Certification Plan will capture 
the processes to be utilized and the activities performed to demonstrate that the integrated CTS design 
and the associated production and operation capabilities will achieve a NASA Certification. 

The Certification Plan will mature during the development process as additional details are generated 
consistent with the design maturation. By the end of the development process, the Certification Plan 
shall include, at a minimum, the following: 

1) A summary of the CTS configuration (e.g. product breakdown structure) planned for certification. 

2) A description of each reference mission and operations plans for which CTS certification is being 
requested (reference CCT-DRM-1 1 10, Section entitled NASA Design Reference Missions). 

3) A schedule of certification activities that includes the critical path and clearly defined certification 
milestones with NASA. 

4) The strategy for certifying flight and ground hardware/software including: qualification of the 
design; acceptance of flight systems; mission operations capabilities; and management processes. 

5) Identification of the physical resources (e.g. facilities, software, and simulators/mock-ups, and 
personnel for human-system performance testing) required to perform the V&V activities, as well as, 
the resource providers. 

6) The plan to certify and maintain critical skills (e.g. welding, mission operators) and train the CTS 
crew. 

7) A description of the deliverables that will be provided to NASA for verification and validation of 
manufacturing operations; for hardware and software qualification and acceptance test programs; 
environmental testing; and for the validation of models or simulations used to make critical decisions 
that may impact human safety and mission success. 

8) A description of the process to understand and accept residual risk due to hazards, waivers, non- 
compliances, etc. 

9) The list of products to be delivered for approval in the Certification Data Package as described in 
Table 7-1. 
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Appendix D: CTS Verification and Validation Plan 

The Verification and Validation Plan shall identify the verification and validation activities, methods, 
deliverables, and processes that result in objective evidence that all elements of the CTS design, 
production, and operation meet the performance requirements and accomplish the intended design 
reference mission (reference CCT-DRM-1 1 10, Section entitled NASA Design Reference Missions) when 
operated in the intended environment. 

The V&V Plan will mature during the development process as additional details are generated consistent 
with the design maturation. By the end of the development process, the Verification and Validation Plan 
shall include, at a minimum, the following: 

1) Provider’s requirement statements and associated verifications. 

2) Traceability from the Provider’s requirement to the CCT-REQ-1 130 and SSP 50808 requirement 
number. 

3) Detailed descriptions of the verification activities to be performed to complete the verifications for 
all requirements traceable to CCT-REQ-1 130, Section 3 requirements and in accordance with SSP 
50808, Section 4. The details shall include the configuration of the activities relative to the planned 
flight configuration, the specific activities to be performed including the lifecycle verification, 
qualification and flight unit acceptance test activities, the measurable criteria for determining if the 
activities successfully verified the requirement, identification and validation of critical models and 
analyses, and joint verifications with the ISS Program as required in SSP 50808, Section 4. 

4) Detailed descriptions of the activities to be performed to complete validation of the CTS. The 
details shall include the configuration of the activities relative to the planned flight configuration, the 
specific activities to be performed, and the measurable criteria for determining if the activities 
successfully validated the CTS. 

5) Schedule of V&V activities and the products to be delivered and made available to NASA. 

6) Manufacturing and operations V&V plans including those that implement hazard controls. 
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Appendix E: RESERVED 
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Appendix F : CTS FTRR/FRR Milestone Data 

The following types of data support FTRR/FRR milestone assessments: 

1 . Mis sion/Flight Test Obj ectives . 

2. Mission/Flight Test Risks 

a. All open risks or watch items. 

b. Tasks or activities during the flight that are required to mitigate a recurrent risk. 

c. Tasks or activities planned during the flight that significantly change the likelihood or 
consequence of a risk. 

d. Identify acceptance rationale for all risks. 

3. CTS Design Modifications from the Certification Baseline. 

a. Modification requirements 

1) Waivers/exceptions to requirements or standards. 

2) Flight test specific modifications. 

b. Requirement implementation 

1) Trade studies and analyses that support design decisions. 

2) Assessment of the risk of LOC/LOM and associated level of uncertainty. 

3) Significant technical issues/anomalies and planned resolution. 

4) Significant risks, mitigation strategies, and expected residual risk. 

c. Requirement V&V strategies and results of tests, analyses, and evaluations. 

1) Implementation of capabilities identified for crew survivability. 

2) Implementation of hazard controls. 

3) Critical (sub)system performance. 

4) Integrated performance of critical (sub)systems. 

5) Critical software performance, security, and safety. 

4. As-Built CTS Integrated Space Vehicle. 

a. Changes and waivers to requirements for refurbishment, production, assembly, and integration 
from established baseline (e.g. Material Review Boards (MRBs) and Material Usage Agreements 
(MUAs).) 

b. Implementation. 

1) Changes to plans and procedures for logistics, production, assembly, and integration. 

2) Compliance with configuration management and maintenance plans. 

3) Significant technical issues/anomalies and planned resolution. 

c. V&V results for the as -built CTS integrated space vehicle. 

1) Implementation of crew survivability hardware, software, and procedures. 

2) Implementation of hazard controls in hardware, software, and procedures. 

3) Critical (sub)system performance. 

4) Integrated performance of critical (sub)systems. 

5) Critical software performance, security, and safety. 

6) Human-system performance. 

5. CTS Launch, Mission, and Recovery Operations. 
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a. Changes and waivers to requirements for launch, mission, and recovery (including flight test or 
flight unique changes). 

b. Implementation. 

1) Changes to operational processes, plans, training, software, and facilities. 

2) Changes to operational controls for hazards. 

3) Significant technical issues/anomalies and planned resolution. 

c. Verification results for changes to the operations system. 

1) Changes to operational processes, plans, training, software and facilities. 

2) Changes to operational controls for hazards. 

3) Waivers/Deviations/Exceptions applicable to operations products. 

d. Verification that the CTS will be operated within the CTS certification during flight/flight test. 

e. Readiness assessments for operations systems, personnel, crew, and procedures. 

f. For ISS Stage Operational Readiness Reviews (SORR) preceding FRRs: 

1) Resources (hardware, software, data, analysis, or items in the manifest) being delivered, 
completed, or returned by each mission. 

2) All open risks or watch items that may potentially affect the crewmember(s) or commercial 
spacecraft’s ability to complete their stay on-orbit. 

3) Tasks or activities during the flight and/or stage that are required to mitigate a recurrent risk. 

4) Tasks or activities planned during the flight and/or stage that significantly change the 
likelihood or consequence of a risk. 

5) Identify acceptance rationale for all risks. 

6. Anomalies from the previous flight test/missions (including non-CTS flights) that affect the CTS 
certification and their resolution. 

7. Closeout of actions from NASA-chaired Mission and Flight Test Readiness Reviews. 

8. Assurance of compliance to Commercial Provider processes. 

a. Configuration and data management. 

b. Modification, production, and operation processes. 

c. Risk management. 

d. Safety analyses. 

e. Reliability analysis. 

f. Quality assurance management. 
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Appendix G: Typical Technical Milestone Reviews 

Descriptions of typical Milestone Reviews are shown below: 



Table G-1: Milestone Reviews 

Review 

Description 

System 
Requirements 
Review (SRR) 

The SRR examines the functional and performance requirements defined for 
the system and the preliminary Program or Project Plan, and ensures that the 
requirements and the selected concept will satisfy the mission. 

System Definition 
Review (SDR) 

The SDR examines the proposed requirements, the mission/system 
architecture, and the flow down to all functional elements of the system. 

Preliminary Design 
Review (PDR) or 
Integrated PDR 
(IPDR) 

The PDR demonstrates that the overall program preliminary design meets all 
requirements with acceptable risk and within the cost and schedule 
constraints, and establishes the basis for proceeding with detailed design. It 
shows that the correct design options have been selected, interfaces have been 
identified, and verification methods have been described. Full approved cost 
and schedules, as well as all risk assessment, management systems, and 
metrics, are presented. 

Critical Design 
Review (CDR) or 
Integrated CDR 
(ICDR) 

The CDR, or ICDR, demonstrates that the maturity of the program's design is 
appropriate to support proceeding full-scale fabrication, assembly, 
integration, and test, and that the technical effort is on track to complete the 
flight and ground system development and mission operations in order to 
meet overall performance requirements within the identified cost and 
schedule constraints. Progress against management plans, budget, and 
schedule, as well as risk assessment, are presented. 

System Integration 
Review (SIR) 

The SIR evaluates the readiness of the project to start flight system assembly, 
test, and launch operations. V&V plans, integration plans, and test plans are 
reviewed. Test articles (hardware/software), test facilities, support personnel, 
and test procedures are ready for testing and data acquisition, reduction, and 
control. 

System Acceptance 
Review (SAR) 

The SAR verifies the completeness of the specific end item with respect to 
the expected maturity level and to assess compliance to stakeholder 
expectations. The SAR examines the system, its end items and 
documentation, and test data and analyses that support verification. 

Design Certification 
Review (DCR) 

The DCR formally documents the configuration baseline (hardware, 
software, and processes used in design, production, and operations) and the 
conditions under which the CTS is certified (performance, fabrication and 
operational environments, constraints). 

Operations 
Readiness 
Review (ORR) 

The ORR examines the actual system characteristics and the procedures used 
in the system or product's operation, and ensures that all system and support 
hardware (flight and ground), software, personnel, and procedures are ready 
for operations and that user documentation accurately reflects the deployed 
state of the system. 
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Review 

Description 

Flight Readiness 
Review (FRR) 

The FRR examines tests, demonstrations, analyses, and audits that determine 
the system's readiness for a safe and successful flight/launch and for 
subsequent flight operations. It also ensures that all flight and ground 
hardware, software, personnel, and procedures are operationally ready. 

Post-Launch 
Assessment Review 
(PLAR) 

The PLAR is an assessment of system in-flight performance. For human 
space flight, the PLAR is performed by the CTS Mission Management Team 
(MMT). 

Critical Event 
Readiness Review 
(CERR) 

The CERR is a review to confirm readiness to execute a critical event during 
flight operations. For human space flight, the CERR is performed by the CTS 
MMT. 

Post-Flight 
Assessment 
Review (PFAR) 

The PEAR is a human space flight review that occurs after a flight mission in 
order to assess whether mission objectives were met and the status of the 
returned vehicle. 

Decommissioning 
Review (DR) 

The DR confirms the decision to terminate or decommission the system and 
assess the readiness for the safe decommissioning and disposal of system 
assets. 
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Appendix H: CCP Milestone Review Data 

The following types of data support the CCP milestone reviews: 


Data 

1 . Assessment of meeting the CTS Design Reference Mission (DRM) objectives 


2. Operations Concept 


3. CTS Integrated Space Vehicle (Launch Vehicle, Spacecraft) Architecture 

a. Design requirements and standards (including variances to NASA requirements and 
standards) 

b. Design baseline 

c. External Interface Agreements 


4. CTS Production Architecture 

a. Design requirements and standards for facilities and systems to support production and 
assembly of the integrated space vehicle 

b. Design baseline for production facilities and systems 

c. External Interface Agreements 

d. Plans and processes for production and assembly 

e. Evidence of compliance with the plans and processes for production and assembly 


5. CTS Operations Architecture 

a. Design requirements and standards for facilities and systems to support integration, launch, 
flight, and recovery of the crew and vehicle 

b. Design baseline for operations facilities and systems 

c. External Interface agreements 

d. Operations Plans for integration, launch, flight, and recovery 

e. Operations Training Program for integration, launch, flight, and recovery 

f. Operations Execution Process for integration, launch, flight, and recovery 

g. Operations Review Process for integration, launch, flight, and recovery 

h. Evidence of Compliance to the Operations Plans for integration, launch, flight, and recovery 

i. Evidence of Compliance to the Operations Training Program for integration, launch, flight, 
and recovery 

j. Evidence of Compliance to the Operations Execution Process for integration, launch, flight, 
and recovery 

k. Evidence of Compliance to the Operations Review Process for integration, launch, flight, 
and recovery 


6. Integrated design and safety analyses, especially those effecting: 

a. Abort and catastrophic event prevention and crew survival strategy 

b. Implementation of capabilities identified for crew survivability and crew survivability 
procedures 

c. Eailure tolerance levels 

d. Hazard identification and control methods 
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Data 

e. Implementation of procedural hazard controls 


7. Assessment of the risk of LOC/LOM and associated level of uncertainty 


8. Significant technical issues/anomalies and planned resolution 


9. Significant risks, mitigation strategies, and expected residual risk (Technical and Programmatic) 


10. Crew usability & human system performance, crew workload, and human error analyses 


11. Verification & Validation (including Flight Test) 

a. Verification and validation strategies and plans 

1) Critical (sub)system performance 

2) Integrated performance of critical (sub)systems 

b. Verification and validation results 

c. Flight Test Plan & Objectives 

d. Flight Test Results 


12. Certification Plan 


13. Closeout of actions from NASA-chaired reviews 


14. Management Plans 

a. Program Management Plan 

b. Configuration Management Plan 

c. Risk Management Plan 

d. Safety and Reliability Plan 

e. Requirements Management Plan 

f. Quality Management Plan 

g. Software Safety Plan 

h. Radioactive Materials Usage Report 

i. Human System Integration Strategy 

j. Software Development Plan 

k. Margin Management Plan 


15. Assurance of compliance to Commercial Provider processes. 
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